# For the curious:

# 0.9.5a soversion = 0

# 0.9.6  soversion = 1

# 0.9.6a soversion = 2

# 0.9.6c soversion = 3

# 0.9.7a soversion = 4

# 0.9.7ef soversion = 5

# 0.9.8ab soversion = 6

# 0.9.8g soversion = 7

# 0.9.8jk + EAP-FAST soversion = 8

%define soversion 8

# Number of threads to spawn when testing some threading fixes.

%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

# Arches on which we need to prevent arch conflicts on opensslconf.h, must

# also be handled in opensslconf-new.h.

%define multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

# Arches for which we don't build subpackages.

%define optimize_arches i686

Summary: A general purpose cryptography library with TLS implementation

Name: openssl

Version: 0.9.8n

Release: 2%{?dist}

# We remove certain patented algorithms from the openssl source tarball

# with the hobble-openssl script which is included below.

Source: openssl-%{version}-usa.tar.bz2

Source1: hobble-openssl

Source2: Makefile.certificate

Source6: make-dummy-cert

Source8: openssl-thread-test.c

Source9: opensslconf-new.h

Source10: opensslconf-new-warning.h

# Build changes

Patch0: openssl-0.9.8m-redhat.patch

Patch1: openssl-0.9.8a-defaults.patch

Patch2: openssl-0.9.8a-link-krb5.patch

Patch3: openssl-0.9.8j-soversion.patch

Patch4: openssl-0.9.8m-enginesdir.patch

Patch5: openssl-0.9.8a-no-rpath.patch

Patch6: openssl-0.9.8b-test-use-localhost.patch

Patch7: openssl-0.9.8k-shlib-version.patch

Patch8: openssl-1.0.0-timezone.patch

# Bug fixes

Patch22: openssl-0.9.8k-x509-name-cmp.patch

Patch23: openssl-0.9.8m-default-paths.patch

# Functionality changes

Patch32: openssl-0.9.8g-ia64.patch

Patch33: openssl-0.9.8m-ca-dir.patch

Patch34: openssl-0.9.6-x509.patch

Patch35: openssl-0.9.8j-version-add-engines.patch

Patch38: openssl-0.9.8m-reuse-cipher-change.patch

Patch39: openssl-0.9.8g-ipv6-apps.patch

Patch40: openssl-0.9.8j-nocanister.patch

Patch41: openssl-0.9.8m-use-fipscheck.patch

Patch42: openssl-0.9.8m-fipscheck-hmac.patch

Patch44: openssl-0.9.8m-kernel-fipsmode.patch

Patch45: openssl-0.9.8j-env-nozlib.patch

Patch46: openssl-0.9.8m-eap-fast.patch

Patch47: openssl-0.9.8j-readme-warning.patch

Patch48: openssl-0.9.8j-bad-mime.patch

Patch49: openssl-0.9.8j-fips-no-pairwise.patch

Patch50: openssl-0.9.8j-fips-rng-seed.patch

Patch51: openssl-0.9.8m-multi-crl.patch

# Backported fixes including security fixes

Patch60: openssl-0.9.8n-cve-2010-0742.patch

License: OpenSSL

Group: System Environment/Libraries

URL: http://www.openssl.org/

BuildRoot: %{_tmppath}/%{name}-%{version}-root

BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp

BuildRequires: /usr/bin/rename

Requires: mktemp, ca-certificates >= 2008-5

%description

The OpenSSL toolkit provides support for secure communications between

machines. OpenSSL includes a certificate management tool and shared

libraries which provide various cryptographic algorithms and

protocols.

%package devel

Summary: Files for development of applications which will use OpenSSL

Group: Development/Libraries

Requires: %{name} = %{version}-%{release}, krb5-devel, zlib-devel

Requires: pkgconfig

%description devel

OpenSSL is a toolkit for supporting cryptography. The openssl-devel

package contains include files needed to develop applications which

support various cryptographic algorithms and protocols.

%package static

Summary:  Libraries for static linking of applications which will use OpenSSL

Group: Development/Libraries

Requires: %{name}-devel = %{version}-%{release}

%description static

OpenSSL is a toolkit for supporting cryptography. The openssl-static

package contains static libraries needed for static linking of

applications which support various cryptographic algorithms and

protocols.

%package perl

Summary: Perl scripts provided with OpenSSL

Group: Applications/Internet

Requires: perl

Requires: %{name} = %{version}-%{release}

%description perl

OpenSSL is a toolkit for supporting cryptography. The openssl-perl

package provides Perl scripts for converting certificates and keys

from other formats to the formats used by the OpenSSL toolkit.

%prep

%setup -q

%{SOURCE1} > /dev/null

%patch0 -p1 -b .redhat

%patch1 -p1 -b .defaults

# Fix link line for libssl (bug #111154).

%patch2 -p1 -b .krb5

%patch3 -p1 -b .soversion

%patch4 -p1 -b .enginesdir

%patch5 -p1 -b .no-rpath

%patch6 -p1 -b .use-localhost

%patch7 -p1 -b .shlib-version

%patch8 -p1 -b .timezone

%patch22 -p1 -b .name-cmp

%patch23 -p1 -b .default-paths

%patch32 -p1 -b .ia64

%patch33 -p1 -b .ca-dir

%patch34 -p1 -b .x509

%patch35 -p1 -b .version-add-engines

%patch38 -p1 -b .cipher-change

%patch39 -p1 -b .ipv6-apps

%patch40 -p1 -b .nocanister

%patch41 -p1 -b .use-fipscheck

%patch42 -p1 -b .fipscheck-hmac

%patch44 -p1 -b .fipsmode

%patch45 -p1 -b .env-nozlib

%patch46 -p1 -b .eap-fast

%patch47 -p1 -b .warning

%patch48 -p1 -b .bad-mime

%patch49 -p1 -b .no-pairwise

%patch50 -p1 -b .rng-seed

%patch51 -p1 -b .multi-crl

%patch60 -p1 -b .originfo

# Modify the various perl scripts to reference perl in the right location.

perl util/perlpath.pl `dirname %{__perl}`

# Generate a table with the compile settings for my perusal.

touch Makefile

make TABLE PERL=%{__perl}

%build 

# Figure out which flags we want to use.

# default

sslarch=%{_os}-%{_arch}

%ifarch %ix86

sslarch=linux-elf

if ! echo %{_target} | grep -q i686 ; then

	sslflags="no-asm 386"

fi

%endif

%ifarch sparcv9

sslarch=linux-sparcv9

sslflags=no-asm

%endif

%ifarch sparc64

sslarch=linux64-sparcv9

sslflags=no-asm

%endif

%ifarch alpha alphaev56 alphaev6 alphaev67

sslarch=linux-alpha-gcc

%endif

%ifarch s390 sh3eb sh4eb

sslarch="linux-generic32 -DB_ENDIAN"

%endif

%ifarch s390x

sslarch="linux-generic64 -DB_ENDIAN"

%endif

%ifarch %{arm} sh3 sh4

sslarch=linux-generic32

%endif

# ia64, x86_64, ppc, ppc64 are OK by default

# Configure the build tree.  Override OpenSSL defaults with known-good defaults

# usable on all platforms.  The Configure script already knows to use -fPIC and

# RPM_OPT_FLAGS, so we can skip specifiying them here.

./Configure \

	--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \

	zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \

	enable-cms no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared \

	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \

	--with-krb5-dir=/usr ${sslarch} fipscanisterbuild

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be

# marked as not requiring an executable stack.

RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"

make depend

make all

# Generate hashes for the included certs.

make rehash

%check

# Verify that what was compiled actually works.

# We must revert patch33 before tests otherwise they will fail

patch -p1 -R < %{PATCH33}

LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

export LD_LIBRARY_PATH

make -C test apps tests

%{__cc} -o openssl-thread-test \

	`krb5-config --cflags` \

	-I./include \

	$RPM_OPT_FLAGS \

	%{SOURCE8} \

	-L. \

	-lssl -lcrypto \

	`krb5-config --libs` \

	-lpthread -lz -ldl

./openssl-thread-test --threads %{thread_test_threads}

# Add generation of HMAC checksum of the final stripped library

%define __spec_install_post \

    %{?__debug_package:%{__debug_install_post}} \

    %{__arch_install_post} \

    %{__os_install_post} \

    fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \

    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \

    fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \

    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \

%{nil}

%install

[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

# Install OpenSSL.

install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}

make INSTALL_PREFIX=$RPM_BUILD_ROOT install

make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs

# OpenSSL install doesn't use correct _libdir on 64 bit archs

[ "%{_libdir}" != /usr/lib ] && mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT%{_libdir}/

mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT%{_libdir}/openssl

mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/

rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man

mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :

rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}

for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do

	chmod 755 ${lib}

	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`

	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}

done

# Install a makefile for generating keys and self-signed certs, and a script

# for generating them on the fly.

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs

install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile

install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert

# Make sure we actually include the headers we built against.

for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do

	if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then

		install -m644 include/openssl/`basename ${header}` ${header}

	fi

done

# Rename man pages so that they don't conflict with other system man pages.

pushd $RPM_BUILD_ROOT%{_mandir}

for manpage in man*/* ; do

	if [ -L ${manpage} ]; then

		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`

		ln -snf ${TARGET}ssl ${manpage}ssl

		rm -f ${manpage}

	else

		mv ${manpage} ${manpage}ssl

	fi

done

for conflict in passwd rand ; do

	rename ${conflict} ssl${conflict} man*/${conflict}*

done

popd

# Pick a CA script.

pushd  $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc

mv CA.sh CA

popd

mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA

mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private

# Ensure the openssl.cnf timestamp is identical across builds to avoid

# mulitlib conflicts and unnecessary renames on upgrade

touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf

# Fix libdir.

pushd $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

for i in *.pc ; do

	sed 's,^libdir=${exec_prefix}/lib,libdir=${exec_prefix}/%{_lib},g' \

		$i >$i.tmp && \

	cat $i.tmp >$i && \

	rm -f $i.tmp

done

popd

# Determine which arch opensslconf.h is going to try to #include.

basearch=%{_arch}

%ifarch %{ix86}

basearch=i386

%endif

%ifarch sparcv9

basearch=sparc

%endif

%ifarch sparc64

basearch=sparc64

%endif

%ifarch %{multilib_arches}

# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you

# can have both a 32- and 64-bit version of the library, and they each need

# their own correct-but-different versions of opensslconf.h to be usable.

install -m644 %{SOURCE10} \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h

cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h

install -m644 %{SOURCE9} \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h

%endif

%ifarch %{optimize_arches}

# Remove bits which belong in subpackages.

rm -rf $RPM_BUILD_ROOT/%{_prefix}/include/openssl

rm -rf $RPM_BUILD_ROOT/%{_libdir}/*.a

rm -rf $RPM_BUILD_ROOT/%{_libdir}/*.so

rm -rf $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

rm -rf $RPM_BUILD_ROOT/%{_mandir}/man3/*

rm -rf $RPM_BUILD_ROOT/%{_bindir}/c_rehash

rm -rf $RPM_BUILD_ROOT/%{_mandir}/man1*/*.pl*

rm -rf $RPM_BUILD_ROOT/%{_sysconfdir}/pki/tls/misc/*.pl

%endif

# Remove unused files from upstream fips support

rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint

rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.*

rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*

%clean

[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%files 

%defattr(-,root,root)

%doc FAQ LICENSE CHANGES NEWS INSTALL README

%doc doc/c-indentation.el doc/openssl.txt

%doc doc/openssl_button.html doc/openssl_button.gif

%doc doc/ssleay.txt

%dir %{_sysconfdir}/pki/tls

%dir %{_sysconfdir}/pki/tls/certs

%{_sysconfdir}/pki/tls/certs/make-dummy-cert

%{_sysconfdir}/pki/tls/certs/Makefile

%dir %{_sysconfdir}/pki/tls/misc

%{_sysconfdir}/pki/tls/misc/CA

%dir %{_sysconfdir}/pki/CA

%dir %{_sysconfdir}/pki/CA/private

%{_sysconfdir}/pki/tls/misc/c_*

%{_sysconfdir}/pki/tls/private

%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf

%attr(0755,root,root) %{_bindir}/openssl

%attr(0755,root,root) %{_libdir}/*.so.%{version}

%attr(0755,root,root) %{_libdir}/*.so.%{soversion}

%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac

%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac

%attr(0755,root,root) %{_libdir}/openssl

%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*

%attr(0644,root,root) %{_mandir}/man5*/*

%attr(0644,root,root) %{_mandir}/man7*/*

%ifnarch %{optimize_arches}

%files devel

%defattr(-,root,root)

%{_prefix}/include/openssl

%attr(0755,root,root) %{_libdir}/*.so

%attr(0644,root,root) %{_mandir}/man3*/*

%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc

%files static

%defattr(-,root,root)

%attr(0644,root,root) %{_libdir}/*.a

%files perl

%defattr(-,root,root)

%attr(0755,root,root) %{_bindir}/c_rehash

%attr(0644,root,root) %{_mandir}/man1*/*.pl*

%dir %{_sysconfdir}/pki/tls/misc

%{_sysconfdir}/pki/tls/misc/*.pl

%endif

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%changelog

* Wed Jun  2 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8n-2

- fix CVE-2010-0742

- set UTC timezone on pod2man run (#578842)

* Thu Mar 25 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8n-1

- fix CVE-2010-0740

* Mon Mar 22 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8m-1

- fix CVE-2009-3245 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433

* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5

- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379

  (DTLS DoS problems) (#501253, #501254, #501572)

* Tue Apr 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-4

- support compatibility DTLS mode for CISCO AnyConnect (#464629)

* Fri Apr 17 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-3

- correct the SHLIB_VERSION define

* Wed Apr 15 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-2

- add support for multiple CRLs with same subject

- load only dynamic engine support in FIPS mode

* Thu Mar 25 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-1

- update to new upstream release (minor bug fixes, security

  fixes and machine code optimizations only)

* Thu Mar 19 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-10

- move libraries to /usr/lib (#239375)

* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-9

- add a static subpackage

* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Mon Feb  2 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-7

- must also verify checksum of libssl.so in the FIPS mode

- obtain the seed for FIPS rng directly from the kernel device

- drop the temporary symlinks

* Mon Jan 26 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-6

- drop the temporary triggerpostun and symlinking in post

- fix the pkgconfig files and drop the unnecessary buildrequires

  on pkgconfig as it is a rpmbuild dependency (#481419)

* Sat Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-5

- add temporary triggerpostun to reinstate the symlinks

* Sat Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-4

- no pairwise key tests in non-fips mode (#479817)

* Fri Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-3

- even more robust test for the temporary symlinks

* Fri Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-2

- try to ensure the temporary symlinks exist

* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-1

- new upstream version with necessary soname bump (#455753)

- temporarily provide symlink to old soname to make it possible to rebuild

  the dependent packages in rawhide

- add eap-fast support (#428181)

- add possibility to disable zlib by setting 

- add fips mode support for testing purposes

- do not null dereference on some invalid smime files

- add buildrequires pkgconfig (#479493)

* Sun Aug 10 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-11

- do not add tls extensions to server hello for SSLv3 either

* Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 0.9.8g-10

- move root CA bundle to ca-certificates package

* Wed May 28 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-9

- fix CVE-2008-0891 - server name extension crash (#448492)

- fix CVE-2008-1672 - server key exchange message omit crash (#448495)

* Tue May 27 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-8

- super-H arch support

- drop workaround for bug 199604 as it should be fixed in gcc-4.3

* Mon May 19 2008 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.8g-7

- sparc handling

* Mon Mar 10 2008 Joe Orton <jorton@redhat.com> 0.9.8g-6

- update to new root CA bundle from mozilla.org (r1.45)

* Wed Feb 20 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.9.8g-5

- Autorebuild for GCC 4.3

* Thu Jan 24 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-4

- merge review fixes (#226220)

- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)

* Thu Dec 13 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-3

- set default paths when no explicit paths are set (#418771)

- do not add tls extensions to client hello for SSLv3 (#422081)

* Tue Dec  4 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-2

- enable some new crypto algorithms and features

- add some more important bug fixes from openssl CVS

* Mon Dec  3 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-1

- update to latest upstream release, SONAME bumped to 7

* Mon Oct 15 2007 Joe Orton <jorton@redhat.com> 0.9.8b-17

- update to new CA bundle from mozilla.org

* Fri Oct 12 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-16

- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)

- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)

- add alpha sub-archs (#296031)

* Tue Aug 21 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-15

- rebuild

* Fri Aug  3 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-14

- use localhost in testsuite, hopefully fixes slow build in koji

- CVE-2007-3108 - fix side channel attack on private keys (#250577)

- make ssl session cache id matching strict (#233599)

* Wed Jul 25 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-13

- allow building on ARM architectures (#245417)

- use reference timestamps to prevent multilib conflicts (#218064)

- -devel package must require pkgconfig (#241031)

* Mon Dec 11 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-12

- detect duplicates in add_dir properly (#206346)

* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-11

- the previous change still didn't make X509_NAME_cmp transitive

* Thu Nov 23 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-10

- make X509_NAME_cmp transitive otherwise certificate lookup

  is broken (#216050)

* Thu Nov  2 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-9

- aliasing bug in engine loading, patch by IBM (#213216)

* Mon Oct  2 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-8

- CVE-2006-2940 fix was incorrect (#208744)

* Mon Sep 25 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-7

- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)

- fix CVE-2006-2940 - parasitic public keys DoS (#207274)

- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)

- fix CVE-2006-4343 - sslv2 client DoS (#206940)

* Tue Sep  5 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-6

- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)

* Wed Aug  2 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-5

- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)

  patch by IBM

* Fri Jul 28 2006 Alexandre Oliva <aoliva@redhat.com> - 0.9.8b-4.1

- rebuild with new binutils (#200330)

* Fri Jul 21 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-4

- add a temporary workaround for sha512 test failure on s390 (#199604)

* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com>

- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)

- add patches for BN threadsafety, AES cache collision attack hazard fix and

  pkcs7 code memleak fix from upstream CVS

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8b-3.1

- rebuild

* Wed Jun 21 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-3

- dropped libica and ica engine from build

* Wed Jun 21 2006 Joe Orton <jorton@redhat.com>

- update to new CA bundle from mozilla.org; adds CA certificates

  from netlock.hu and startcom.org

* Mon Jun  5 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-2

- fixed a few rpmlint warnings

- better fix for #173399 from upstream

- upstream fix for pkcs12

* Thu May 11 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-1

- upgrade to new version, stays ABI compatible

- there is no more linux/config.h (it was empty anyway)

* Tue Apr  4 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8a-6

- fix stale open handles in libica (#177155)

- fix build if 'rand' or 'passwd' in buildroot path (#178782)

- initialize VIA Padlock engine (#186857)

* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8a-5.2

- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8a-5.1

- rebuilt for new gcc4.1 snapshot and glibc changes

* Thu Dec 15 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-5

- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

  in SSL_OP_ALL (#175779)

* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>

- rebuilt

* Tue Nov 29 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-4

- fix build (-lcrypto was erroneusly dropped) of the updated libica

- updated ICA engine to 1.3.6-rc3

* Tue Nov 22 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-3

- disable builtin compression methods for now until they work

  properly (#173399)

* Wed Nov 16 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-2

- don't set -rpath for openssl binary

* Tue Nov  8 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-1

- new upstream version

- patches partially renumbered

* Fri Oct 21 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-11

- updated IBM ICA engine library and patch to latest upstream version

* Wed Oct 12 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-10

- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which

  disables the countermeasure against man in the middle attack in SSLv2

  (#169863)

- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)

* Tue Aug 23 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-9

- add *.so.soversion as symlinks in /lib (#165264)

- remove unpackaged symlinks (#159595)

- fixes from upstream (constant time fixes for DSA,

  bn assembler div on ppc arch, initialize memory on realloc)

* Thu Aug 11 2005 Phil Knirsch <pknirsch@redhat.com> 0.9.7f-8

- Updated ICA engine IBM patch to latest upstream version.

* Thu May 19 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-7

- fix CAN-2005-0109 - use constant time/memory access mod_exp

  so bits of private key aren't leaked by cache eviction (#157631)

- a few more fixes from upstream 0.9.7g

* Wed Apr 27 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-6

- use poll instead of select in rand (#128285)

- fix Makefile.certificate to point to /etc/pki/tls

- change the default string mask in ASN1 to PrintableString+UTF8String

* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 0.9.7f-5

- update to revision 1.37 of Mozilla CA bundle

* Thu Apr 21 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-4

- move certificates to _sysconfdir/pki/tls (#143392)

- move CA directories to _sysconfdir/pki/CA

- patch the CA script and the default config so it points to the

  CA directories

* Fri Apr  1 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-3

- uninitialized variable mustn't be used as input in inline

  assembly

- reenable the x86_64 assembly again

* Thu Mar 31 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-2

- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken

- disable broken bignum assembly on x86_64

* Wed Mar 30 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-1

- reenable optimizations on ppc64 and assembly code on ia64

- upgrade to new upstream version (no soname bump needed)

- disable thread test - it was testing the backport of the

  RSA blinding - no longer needed

- added support for changing serial number to 

  Makefile.certificate (#151188)

- make ca-bundle.crt a config file (#118903)

* Tue Mar  1 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-3

- libcrypto shouldn't depend on libkrb5 (#135961)

* Mon Feb 28 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-2

- rebuild

* Mon Feb 28 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-1

- new upstream source, updated patches

- added patch so we are hopefully ABI compatible with upcoming

  0.9.7f

* Thu Feb 10 2005 Tomas Mraz <tmraz@redhat.com>

- Support UTF-8 charset in the Makefile.certificate (#134944)

- Added cmp to BuildPrereq

* Thu Jan 27 2005 Joe Orton <jorton@redhat.com> 0.9.7a-46

- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)

* Thu Dec 23 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-45

- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)

* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-44

- rebuild

* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-43

- rebuild

* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-42

- rebuild

* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-41

- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)

* Tue Oct 05 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-40

- Include latest libica version with important bugfixes

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Mon Jun 14 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-38

- Updated ICA engine IBM patch to latest upstream version.

* Mon Jun  7 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-37

- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)

* Tue May 25 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-36

- handle %%{_arch}=i486/i586/i686/athlon cases in the intermediate

  header (#124303)

* Thu Mar 25 2004 Joe Orton <jorton@redhat.com> 0.9.7a-35

- add security fixes for CAN-2004-0079, CAN-2004-0112

* Tue Mar 16 2004 Phil Knirsch <pknirsch@redhat.com>

- Fixed libica filespec.

* Thu Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-34

- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix

  the intermediate header

* Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-33

- add an intermediate <openssl/opensslconf.h> which points to the right

  arch-specific opensslconf.h on multilib arches

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Thu Feb 26 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-32

- Updated libica to latest upstream version 1.3.5.

* Tue Feb 17 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-31

- Update ICA crypto engine patch from IBM to latest version.

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt